CVE-2025-60020: 
Linux Debian vulnerability analysis and mitigation

NNCP before version 8.12.0 contains a path traversal vulnerability that allows attackers to read or write files outside of intended directories during freqing and file saving operations via crafted path in packet data. The vulnerability was discovered and reported on September 19, 2025, affecting all versions of NNCP prior to 8.12.0 (MITRE, NNCP Release).

The vulnerability exists because NNCP's freq and file functions accept and act upon paths containing ".." in packet data, despite requiring full paths in configuration. This allows path traversal outside the configured directories. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

An attacker can exploit this vulnerability to read any file that NNCP has access to, including sensitive files like configuration files containing private keys. Additionally, attackers can write files to any location on the system where the NNCP user has write permissions (MITRE).

Users should upgrade to NNCP version 8.12.0 or later, which includes a fix that prevents path traversal by limiting access to below the configured full path. As a temporary workaround, system administrators can disable the freq functionality until the patch can be applied (MITRE).

The vulnerability was responsibly disclosed by Eugene Medvedev to the NNCP development team. The NNCP maintainers quickly acknowledged the issue and merged the provided fix into the develop branch, leading to the release of version 8.12.0 to address the vulnerability (MITRE).